Sometimes you just want to see what connections your machine is making to the outside world and which ports it is using. While wireshark and tcpdump are really nice for inspecting detailed packet contents, IPTraf is really about connections and interface statistics. Because iptraf is based on ncurses the program can be run from a text console and still have a (primitive) `gui`. Navigation through the menus is done with the arrow keys. Most of the time all the available options and their keys are shown on the bottom line of the screen.

Starting up

By default the program is not accessible to ‘normal’ users, so you’ll need root access. Also, iptraf can put your interfaces in promiscuous mode (this will probably show up in your log files as ‘device eth0 entered promiscuous mode’). Promiscuous mode can be turned off and on in the configuration menu. If no options are given on the command line, iptraf starts up with a splash screen and then a menu. Some of the menu items can be reached directly from the command line (try ‘iptraf -i all’ if you want to start up in IP traffic monitoring mode).
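As an added example (not part of the original post), here is a small POSIX shell check over constructed kernel log lines that reports which interfaces were put into promiscuous mode and never taken out again; the ‘entered/left promiscuous mode’ messages are the ones iptraf leaves behind, and the hostname and timestamps in the sample are made up:

```shell
#!/bin/sh
# Constructed sample kernel log (not from the original post). Lines of this
# form are what the kernel logs when a tool such as iptraf toggles promisc mode.
SAMPLE_LOG='May  9 23:10:01 host kernel: device eth0 entered promiscuous mode
May  9 23:10:01 host kernel: device eth1 entered promiscuous mode
May  9 23:12:44 host kernel: device eth1 left promiscuous mode
May  9 23:15:02 host kernel: eth0: link up'

# promisc_devices LOGTEXT
# Prints, one per line and sorted, the devices that entered promiscuous mode
# and have not left it by the end of the log. Tracks the word after "device"
# so it does not depend on the exact timestamp layout.
promisc_devices() {
    printf '%s\n' "$1" | awk '
        /entered promiscuous mode/ || /left promiscuous mode/ {
            dev = ""
            for (i = 1; i < NF; i++) if ($i == "device") dev = $(i + 1)
            if (dev == "") next
            state[dev] = ($0 ~ /entered promiscuous mode/) ? 1 : 0
        }
        END { for (d in state) if (state[d]) print d }
    ' | sort
}

# promisc_events LOGTEXT
# Counts how many times any device entered promiscuous mode (0 if never).
promisc_events() {
    printf '%s\n' "$1" | grep -c 'entered promiscuous mode' || true
}

# Stand-alone run over the sample: eth0 is still promiscuous, eth1 is not.
promisc_devices "$SAMPLE_LOG"
```

On a real machine, feed it `dmesg` or the syslog file that holds kernel messages instead of `SAMPLE_LOG`.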

Configuration

There are some configuration options you might want to check. Turning on reverse DNS lookups and service names comes in handy when using the IP traffic monitor. Iptraf comes with a separate reverse lookup server, rvnamed, which is only started and used by iptraf, to keep iptraf from hanging on slow lookups. If there’s a lot of network traffic on your box, try applying some filters.

Filtering

Filters can be useful if you only want to see info about traffic on certain connections, ports and/or protocols. Filters can be saved, deleted and edited. Multiple rules can be defined.

2 Responses

Great article, I love how you include screenshots of the GUI. I think IPTraf has to be one of the best live network analysis tools out there - current traffic flow rate per interface / per connection are two key points where this is a winner over a direct tcpdump for me. All in ncurses!

I’ve used iptraf for years but cannot see traffic other than that intended for localhost - with or without promisc mode. What am I missing? Debian etch “Linux palmetto 2.6.18-4-686 #1 SMP Wed May 9 23:03:12 UTC 2007 i686 GNU/Linux”